How can I stop openconnect from changing /etc/resolv.conf?

Use vpn-slice to set up a split tunnel connection wherein your DNS configuration is not modified, and only traffic to a few hosts or IP subnets is routed over the VPN.

It was created for this exact purpose:

I am just using the VPN for a few specific host not for a full Internet connection.

Once you've installed vpn-slice, use it with OpenConnect as a replacement for the standard vpnc-script (you can remove the -v --dump after you've confirmed that it's working properly):

$ openconnect --script "vpn-slice -v --dump host.you.need.to.access some.other.host" \
   vpn-server.your.company.com

This will set the routing tables up so that only traffic to those two particular hosts are routed over the VPN, and will add entries for them to /etc/hosts. Docs have more details.

(I'm the author of vpn-slice, and one of the main contributors to OpenConnect.)


Create the following script /etc/vpnc/no_resolverupdate.sh

#!/bin/sh
#
#
export INTERNAL_IP4_DNS=

. /usr/share/vpnc-scripts/vpnc-script

Make it executable:

chmod +x /etc/vpnc/no_resolverupdate.sh

Then add a line to your connection configuration file (here /etc/vpnc/customer.conf)

echo 'Script /etc/vpnc/no_resolverupdate.sh' >> /etc/vpnc/customer.conf

Alternatively, you can use script hooks, create /etc/vpnc/connect.d/no_resolverupdate.sh with contents

#!/bin/sh
export INTERNAL_IP4_DNS=

To be applied for every connection.


Does vpnc-script look like this? If so, the belows code is why it changes your /etc/resolv.conf:

if [ -x /sbin/resolvconf ]; then # Optional tool on Debian, Ubuntu, Gentoo
    MODIFYRESOLVCONF=modify_resolvconf_manager
    RESTORERESOLVCONF=restore_resolvconf_manager
elif [ -x /sbin/modify_resolvconf ]; then # Mandatory tool on Suse earlier than 11.1
    MODIFYRESOLVCONF=modify_resolvconf_suse
    RESTORERESOLVCONF=restore_resolvconf_suse
else # Generic for any OS
    MODIFYRESOLVCONF=modify_resolvconf_generic
    RESTORERESOLVCONF=restore_resolvconf_generic
fi

modify_resolvconf_manager() {
    NEW_RESOLVCONF=""
    for i in $INTERNAL_IP4_DNS; do
        NEW_RESOLVCONF="$NEW_RESOLVCONF
nameserver $i"
    done
    if [ -n "$CISCO_DEF_DOMAIN" ]; then
        NEW_RESOLVCONF="$NEW_RESOLVCONF
domain $CISCO_DEF_DOMAIN"
    fi
    echo "$NEW_RESOLVCONF" | /sbin/resolvconf -a $TUNDEV
}

The 'dirty' way is make the /etc/resolv.conf file immutable:

# chattr +i /etc/resolv.conf

The proper way is edit your vpnc-script to make it shouldn't change the /etc/resolv.conf.